diff --git a/plugins/op_waf/t/bench/bench.sh b/plugins/op_waf/t/bench/bench.sh
index dbf59ea0f..5eca7b668 100755
--- a/plugins/op_waf/t/bench/bench.sh
+++ b/plugins/op_waf/t/bench/bench.sh
@@ -19,10 +19,11 @@ fi
 # test
-# $RUN_CMD a.lua
+# $RUN_CMD simple.lua
 # $RUN_CMD test_gsub.lua
 # $RUN_CMD --shdict 'limit 10m' test_find_server_name.lua
 # $RUN_CMD --stap --shdict 'limit 10m' test_find_server_name.lua
-$RUN_CMD test_rand.lua
\ No newline at end of file
+# $RUN_CMD test_rand.lua
+$RUN_CMD test_ffi_time.lua
\ No newline at end of file
diff --git a/plugins/op_waf/t/bench/a.lua b/plugins/op_waf/t/bench/simple.lua
similarity index 100%
rename from plugins/op_waf/t/bench/a.lua
rename to plugins/op_waf/t/bench/simple.lua
diff --git a/plugins/op_waf/t/bench/test_ffi_time.lua b/plugins/op_waf/t/bench/test_ffi_time.lua
new file mode 100644
index 000000000..1e8cfb866
--- /dev/null
+++ b/plugins/op_waf/t/bench/test_ffi_time.lua
@@ -0,0 +1,62 @@
+local function target()
+ ngx.re.find("hello, world.", [[\w+\.]], "jo")
+end
+for i = 1, 100 do
+ target()
+end
+
+-- 以上为预热操作
+collectgarbage()
+
+local ffi = require("ffi")
+ffi.cdef[[
+ struct timeval {
+ long int tv_sec;
+ long int tv_usec;
+ };
+ int gettimeofday(struct timeval *tv, void *tz);
+]];
+local tm = ffi.new("struct timeval");
+
+-- 返回微秒级时间戳
+local function current_time_millis()
+ ffi.C.gettimeofday(tm,nil);
+ local sec = tonumber(tm.tv_sec);
+ local usec = tonumber(tm.tv_usec);
+ return sec + usec * 10^-6;
+end
+
+
+ngx.update_time()
+local begin = ngx.now()
+local N = 1e7
+for i = 1, N do
+ target()
+end
+ngx.update_time()
+
+ngx.say("elapsed: ", (ngx.now() - begin) / N)
+
+
+ngx.update_time()
+local begin = ngx.now()
+local N = 1e7
+for i = 1, N do
+ target()
+end
+ngx.update_time()
+
+ngx.say("elapsed[1]: ", (ngx.now() - begin) / N)
+
+
+
+
+ngx.update_time()
+local begin = current_time_millis()
+local N = 1e7
+for i = 1, N do
+ target()
+end
+ngx.update_time()
+
+ngx.say("ffi elapsed: ", (current_time_millis() - begin) / N)
\ No newline at end of file
diff --git a/plugins/op_waf/t/index.py b/plugins/op_waf/t/index.py
index af9b9111b..bbcd2805f 100644
--- a/plugins/op_waf/t/index.py
+++ b/plugins/op_waf/t/index.py
@@ -122,6 +122,18 @@ def test_UA():
 print("user-agent test end")
+def test_UA_for(num):
+ '''
+ user-agent 过滤
+ '''
+ url = TEST_URL
+ print("user-agent test start")
+ for x in range(num):
+ url_val = httpGet__UA(url, 'ApacheBench')
+ print(url_val)
+ print("user-agent test end")
+
+
 def test_cdn():
 '''
 user-agent 过滤
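Review bot: `current_time_millis` returns seconds as a float (`sec + usec * 10^-6`), so both the name and the `-- 返回微秒级时间戳` comment mislabel the unit; rename it, e.g. `local function current_time_sec()`, with the comment `-- wall-clock time in seconds with microsecond resolution (gettimeofday)`. `begin` and `N` are re-declared with `local` three times at file scope, which luacheck reports as shadowing; declare them once and reassign. gettimeofday is a wall clock that can step under time adjustment, so a 1e7-iteration run can read a skewed interval; either note that limitation in the comment or switch the cdef to a monotonic source such as clock_gettime if the bench is kept.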
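Review bot: The docstring of `test_UA_for` is copied from the neighbouring tests (`user-agent 过滤`) and does not say what distinguishes it from `test_UA`; replace it with something like `'''Send `num` sequential requests with the ApacheBench user-agent and print each response.'''`. The loop variable `x` is unused, so `for _ in range(num):` states the intent more clearly.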
@@ -200,14 +212,15 @@ def test_start():
 # test_OK()
 # test_Dir()
 # test_UA()
+ test_UA_for(1000)
 # test_POST()
 # test_scan()
 # test_CC()
 # test_url_ext()
- test_cdn()
+ # test_cdn()
 if __name__ == "__main__":
- os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/plugins/op_waf && sh install.sh uninstall 0.1 && sh install.sh install 0.1')
+ os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/plugins/op_waf && sh install.sh uninstall 0.2.2 && sh install.sh install 0.2.2')
 os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/ && python3 plugins/openresty/index.py stop && python3 plugins/openresty/index.py start')
 test_start()
diff --git a/plugins/op_waf/t/ngx_debug.sh b/plugins/op_waf/t/ngx_debug.sh
index 5c777cc0f..ecd4cffdd 100644
--- a/plugins/op_waf/t/ngx_debug.sh
+++ b/plugins/op_waf/t/ngx_debug.sh
@@ -59,7 +59,7 @@ if [ ! -d /opt/FlameGraph ];then
 fi
 if [ $1 == "lua" ]; then
- # /opt/openresty-systemtap-toolkit/ngx-sample-lua-bt -p 45266 --luajit20 -t 30 >temp.bt
+ # /opt/openresty-systemtap-toolkit/ngx-sample-lua-bt -p 377452 --luajit20 -t 30 >temp.bt
 /opt/openresty-systemtap-toolkit/ngx-sample-lua-bt -p $pid --luajit20 -t 30 >temp.bt
 # /opt/openresty-systemtap-toolkit/fix-lua-bt temp.bt >t1.bt
 /opt/openresty-systemtap-toolkit/fix-lua-bt temp.bt >${name}.bt
diff --git a/plugins/op_waf/waf/lua/common.lua b/plugins/op_waf/waf/lua/common.lua
index d4b606986..00a43ce9c 100644
--- a/plugins/op_waf/waf/lua/common.lua
+++ b/plugins/op_waf/waf/lua/common.lua
@@ -323,7 +323,7 @@ function _M.timer_stats_total(self)
 return self:write_file_clear(total_path,total)
 end
-function _M.add_log(self, name, rule)
+function _M.stats_total(self, name, rule)
 local server_name = self.params['server_name']
 local total_path = cpath .. 'total.json'
 local total = ngx.shared.waf_limit:get(total_path)
@@ -511,7 +511,7 @@ function _M.write_log(self, name, rule)
 local retry_time = config['retry']['retry_time']
 local retry_cycle = config['retry']['retry_cycle']
- local count, _ = ngx.shared.waf_drop_ip:get(ip)
+ local count = ngx.shared.waf_drop_ip:get(ip)
 if count then
 ngx.shared.waf_drop_ip:incr(ip, 1)
 else
@@ -525,10 +525,10 @@ function _M.write_log(self, name, rule)
 error_rule = nil
 end
- local logtmp = {ngx.localtime(), ip, method, ngx.var.request_uri, ngx.var.http_user_agent, name, rule}
- local logstr = json.encode(logtmp) .. "\n"
- local count,_ = ngx.shared.waf_drop_ip:get(ip)
- if count > retry and name ~= 'cc' then
+ local count = ngx.shared.waf_drop_ip:get(ip)
+
+ self:D("count:"..tostring(count))
+ if (count > retry) then
 local safe_count,_ = ngx.shared.waf_drop_sum:get(ip)
 if not safe_count then
 ngx.shared.waf_drop_sum:set(ip, 1, 86400)
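Review bot: `if (count > retry) then` compares `count` without a nil check, and the second `ngx.shared.waf_drop_ip:get(ip)` can still return nil even though the earlier hunk calls `incr` or falls into an `else` branch (outside this hunk) — the key can expire between the two calls, and a shared-dict write fails under memory pressure — which would raise "attempt to compare nil with number" inside the request path. Guard it with `if count and count > retry then`. `self:D("count:"..tostring(count))` reads as leftover debug output; drop it or keep it behind whatever debug switch `D` already honours. Removing `and name ~= 'cc'` means any caller passing `'cc'` now enters the lock escalation too; if that is intended because the waf_cc hunk in init.lua stops calling write_log, a one-line comment here would save the next reader from re-deriving it.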
@@ -538,71 +538,37 @@ function _M.write_log(self, name, rule)
 end
 local lock_time = retry_time * safe_count
 if lock_time > 86400 then lock_time = 86400 end
- logtmp = {ngx.localtime(),ip,method,ngx.var.request_uri, ngx.var.http_user_agent,name,retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..'秒'}
- logstr = logstr .. json.encode(logtmp) .. "\n"
- ngx.shared.waf_drop_ip:set(ip,retry+1,lock_time)
- self:write_drop_ip('inc',lock_time)
- end
- self:write_to_file(logstr)
- self:add_log(name,rule)
-end
+ local logtmp = {
+ ngx.localtime(),
+ ip,
+ method,ngx.var.request_uri,
+ ngx.var.http_user_agent,
+ name,
+ retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..'秒'
+ }
+ local logstr = json.encode(logtmp) .. "\n"
+ retry_times = retry + 1
+ ngx.shared.waf_drop_ip:set(ip, retry_times, lock_time)
-local ffi = require("ffi")
-ffi.cdef[[
- struct timeval {
- long int tv_sec;
- long int tv_usec;
- };
- int gettimeofday(struct timeval *tv, void *tz);
-]];
-local tm = ffi.new("struct timeval");
--- 返回微秒级时间戳
-function _M.current_time_millis()
- ffi.C.gettimeofday(tm,nil);
- local sec = tonumber(tm.tv_sec);
- local usec = tonumber(tm.tv_usec);
- return sec + usec * 10^-6;
-end
-
-
-function _M.bench(self, waf_limit, sign, call)
- local func_start = self.current_time_millis()
- for i=1,waf_limit do
- call()
+ self:write_drop_ip('inc',lock_time)
+ self:write_to_file(logstr)
+ else
+ local logtmp = {
+ ngx.localtime(),
+ ip,
+ method,
+ ngx.var.request_uri,
+ ngx.var.http_user_agent,
+ name,
+ rule
+ }
+ local logstr = json.encode(logtmp) .. "\n"
+ self:write_to_file(logstr)
 end
- local func_end = self.current_time_millis()
- local cos = func_end - func_start
-
- self:D("["..sign.."][start]:"..tostring(func_start))
- self:D("["..sign.."][end]:"..tostring(func_end))
- self:D("cos["..sign.."]:"..tostring(cos))
+
+ self:stats_total(name, rule)
 end
--- 测试方法保留
-function _M.split_bylog_debug(self, str,reps)
- local resultStrList = {}
-
- self:bench(1000000, "string.gsub",function()
- string.gsub(str,'[^'..reps..']+', function(w)
- table.insert(resultStrList,w)
- return w
- end)
- end)
-
- -- string.gsub(str,'[^'..reps..']+', function(w)
- -- table.insert(resultStrList,w)
- -- end)
-
- self:bench(1000000, "ngx.re.gsub" ,function()
- ngx.re.gsub(str,'[^'..reps..']+', function(w)
- table.insert(resultStrList,w[0])
- return w
- end, "ijo")
- end)
-
- return resultStrList
-end
 function _M.get_real_ip(self, server_name)
 local client_ip = "unknown"
diff --git a/plugins/op_waf/waf/lua/init.lua b/plugins/op_waf/waf/lua/init.lua
index 235d9ce85..e139b56d4 100644
--- a/plugins/op_waf/waf/lua/init.lua
+++ b/plugins/op_waf/waf/lua/init.lua
@@ -199,9 +199,11 @@ end
 local function waf_drop()
- local count , _ = ngx.shared.waf_drop_ip:get(ip)
+ local ip = params['ip']
+ local count = ngx.shared.waf_drop_ip:get(ip)
 if not count then return false end
- if count > config['retry'] then
+
+ if count > config['retry']['retry'] then
 ngx.exit(config['cc']['status'])
 return true
 end
@@ -244,11 +246,8 @@ local function waf_cc()
 local lock_time = (endtime * safe_count)
 if lock_time > 86400 then lock_time = 86400 end
- -- lock_time = 10
 ngx.shared.waf_drop_ip:set(ip, 1, lock_time)
- C:write_log('cc',cycle..'秒内累计超过'..waf_limit..'次请求,封锁' .. lock_time .. '秒')
- C:write_drop_ip('cc',lock_time)
 ngx.exit(config['cc']['status'])
 return true
 else
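Review bot: `retry_times = retry + 1` has no `local`, so it assigns a global — every request in the worker shares that name and OpenResty logs a "writing a global Lua variable" warning for it; change it to `local retry_times = retry + 1` (or pass `retry + 1` straight into `set`). The lock branch also stops recording the request that triggered the lock: the old code wrote the `{…, name, rule}` line and then appended the `'…封锁…'` line, whereas the new branch encodes only the lock message, so the offending rule never reaches the log file unless that omission is deliberate. write_log's body begins before this hunk.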
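Review bot: Removing `C:write_log('cc', …)` and `C:write_drop_ip('cc',lock_time)` means a CC lock now blocks the client without leaving any entry in the log file or the drop-IP stats, so the event cannot be reviewed afterwards; if the aim is to avoid the retry escalation that write_log performs, record it through `C:stats_total` or a non-escalating writer instead of dropping the record. The value left in the dictionary, `ngx.shared.waf_drop_ip:set(ip, 1, lock_time)`, is also below the `count > config['retry']['retry']` threshold that the waf_drop hunk above exits on, so unless that setting is 0 waf_drop will not enforce the lock — confirm the intended value (write_log stores `retry + 1` for the same key). waf_cc's body begins before this hunk.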
@@ -410,10 +409,10 @@ local function post_data_chekc()
 if not ac then return false end
- list_list=nil
+ list_list = nil
 for i,v in ipairs(ac) do
- list_list='--'..v
+ list_list = '--'..v
 end
 if not list_list then return false end
@@ -443,8 +442,10 @@ end
 local function X_Forwarded()
+ if params['method'] ~= "GET" then return false end
 if not config['get']['open'] or not C:is_site_config('get') then return false end
+
 if C:is_ngx_match(args_rules,params["request_header"]['X-forwarded-For'],'args') then
 C:write_log('args','regular')
 C:return_html(config['get']['status'],get_html)
@@ -647,8 +648,8 @@ function waf()
 if post_data_chekc() then return true end
 if site_config[server_name] and site_config[server_name]['open'] then
- if X_Forwarded() then return true end
- if post_X_Forwarded() then return true end
+ -- if X_Forwarded() then return true end
+ -- if post_X_Forwarded() then return true end
 -- url_path()
 if url_ext() then return true end
 -- url_rule_ex()
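Review bot: `list_list = nil` assigns a name that is not declared `local` anywhere in this hunk, so unless it is declared above (post_data_chekc starts before the hunk) it is a global shared by every request in the worker; the whitespace touch-up is a good moment to write `local list_list = nil`. The loop body `list_list = '--'..v` also overwrites the value on each iteration, so only the last element of `ac` survives to the `if not list_list` check; if every boundary is meant to be checked, collect them into a table instead.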
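Review bot: Commenting out `X_Forwarded()` and `post_X_Forwarded()` switches off the only checks that run the X-Forwarded-For header against `args_rules`, while the header keeps being read elsewhere — the X_Forwarded hunk above indexes `params["request_header"]['X-forwarded-For']`, and `get_real_ip` in common.lua (body outside this diff) is presumably what turns it into the client IP that write_log records — so whatever the header carries now reaches the log writer unfiltered. State the reason in the comment, e.g. `-- X_Forwarded()/post_X_Forwarded() disabled: <reason>`, and consider keeping a cheap length and character sanity check on the header before it is used as an IP.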